TSP plans RFP to improve data center security by year's end

By Ruben Gomez, reporter, Federal News Radio

The Federal Retirement Thrift Investment Board plans to issue, by Dec. 31, a
request for proposal on a new contract for Thrift Savings Plan data center
services.

The contract will include "very stringent" IT security requirements aimed at
preventing future data breaches, such as the one announced two months ago that
affected 123,000 TSP accounts, said Greg Long, the agency's executive director,
Tuesday before the Senate Homeland Security and Governmental Affairs subcommittee
on Oversight of Government Management, the Federal Workforce and the District of
Columbia.

"We're in the process of designing the procurement action," Long said. "We
anticipate rolling that out on the street by the end of this calendar year, and
then awarding next fiscal year."

FRTIB spokeswoman Kim Weaver told Federal News Radio the agency decided to restructure the contract last fall, well before it found out about the cyber attack.

"I anticipate that the incumbent typically is a bidder," Long said. "But it will be a full and open competition. We are seeking robust competition from all parties."

Shorter data retention schedules might improve privacy

Long said beyond improving network security, agencies can reduce their risks of
security breaches by shortening the retention times for documents containing
personal information.

"Currently, [the law governing FRTIB] does not contain a statute of limitations
for judicial review of a claim for benefits brought by a TSP participant or
beneficiary," Long said in written testimony.
"This indefinite exposure to potential litigation over benefits forces the TSP to
retain records of benefits paid for an unlimited period of time, even after a
participant's account balance has been completely disbursed and he or she is no
longer a participant. The absence of a statute of limitations, therefore, results
in an extraordinary record retention burden, which increases the data potentially
available to be accessed through a cyber attack or other data breach."

The Government Accountability Office also advocates for shorter data retention
periods among FRTIB and other agencies.

"The principle is just, 'for as long as you need the information, keep it, protect
it. Once that need no longer exists, get rid of it, delete it,'" said Greg
Wilshusen, GAO's director of information security issues.

But agency leaders are hesitant to embrace the concept, said Mary Ellen Callahan,
the Homeland Security Department's outgoing chief privacy officer. "One because
they already have an approved retention period from the National Archives, and you
don't want to go counter to that. And second, there's also the question about
whether or not it affects operations if you delete information on a more
subjective standard as Mr. Wilshusen had argued."

This story is part of Federal News Radio's daily Cybersecurity Update.